MFA on AAD-joined Device - Prompt on M365 App Access


Hi community,

I'm working with a customer who insists on having an MFA prompt when accessing M365 resources (Outlook, SharePoint, OneDrive...). They are currently using RSA and Citrix, and used to providing an OTP to log in.

The devices they are using are AAD joined and Intune-managed, which means that MFA is satisfied quietly. They don't have WHfB, so they log in with a username/password. Of course the login is successful, but they don't get prompted for MFA (by design).

Despite me showing them that MFA is satisfied when investigating the sign-in logs, they argue that it is not secure, their argument being "What if someone's laptop is stolen and they have their username/password stuck at the bottom? How will this MFA then help secure them?"... which, in honesty, is a valid concern. Obviously, this is an issue in itself, but not an impossible scenario.

In this scenario, what would be the mitigation? I'm thinking a push to WHfB would help, but then the argument will be "Oh well, what happens when a user has their PIN stuck to the bottom of their laptop...".

Is there a way I can force MFA for them on their Office apps to give them a level of comfort until they move to WHfB and can consider a biometric-type login?

Thanks in advance
